Tuesday, 23 April 2013

Exchange 2013 Deployment Assistant Updated

The excellent tool that is the Exchange 2013 Deployment Assistant has just been updated to include details for coexistence with Exchange 2007 and Exchange 2010 organisations.

If you haven't used the deployment assistant previously it is a web based tool that provides checklist based step-by-step instructions for Exchange installation, coexistence and migration scenarios for on premises organisations and hybrid configuration steps for working with Office 365.

The tool in its previous guise also provided this information for coexisting with and migrating to Exchange 2010 from Exchange 2003/2007 and the landing page with links to both tools can be found here: Microsoft Exchange Server Deployment Assistant

Friday, 19 April 2013

Get Internal and External URLs for all Exchange Virtual Directories

I've just had to check all the virtual directory URLs for a large Exchange implementation.  Due to the geographical locations of some of the servers the Get-*VirtualDirectory takes a while to execute so a quick script was required:
 $virtds = "ECP,OWA,OAB,WebServices,Activesync"  
 $array = $virtds.split(",")  
 foreach ($i in $array) {  
 $j = "Get-"+$i+"VirtualDirectory"+" | fl name,server,internalurl,externalurl"  
 iex $j   
The space between the " and | is intentional as you could add -Server in there if you wanted to list all the virtual directories on a particular server.

iex is the alias for Invoke-Expression which I have never found a use for until now.

Wednesday, 17 April 2013

"You must be assigned a delegating role assignment" Error

When you attempt to add a role to a user or group in Exchange 2010 or 2013 the following error is displayed:

You don't have access to create, change, or remove the "<Role>" management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction.

Run these commands in the Exchange Management Shell:
 Add-pssnapin Microsoft*  

Relaunch Exchange Management Shell

Wednesday, 10 April 2013

Exchange 2013 IRM Configuration

These are the initial steps to configure AD RMS to support Information Rights Management in Exchange 2013 which I've collected here as TechNet has this information but it is spread over multiple articles.


Exchange 2013 is installed and operational (the steps will also work with Exchange 2010)
AD RMS is already configured and a valid certificate is installed on that server which includes the FQDN used in the Certification and Publishing URIs.  The AD RMS server is running Windows Server 2012 but Windows 2008 R2 is also supported.


1. Create a distribution group with the Federation mailbox as its only member
 New-DistributionGroup AdRmsSuperUsers  
 Add-DistributionGroupMember AdRmsSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042  

2. Enable Super Users in AD RMS
2.1 In Active Directory Rights Management Services console, expand the AD RMS cluster.
2.2 Expand Security Policies then click Super Users.
2.3 Click Enable Super Users in the action pane
2.4 Click Change Super User Group
2.5 Type the email address of the AdRmsSuperUsers distribution group or click Browse to search for it.

3. Add Permissions to the AD RMS Server Certification Pipeline File
On the AD RMS server change the security of ServerCertification.asmx, located by default in C:\inetpub\wwwroot\_wmcs\certification\.  Both the Exchange Servers and AD RMS Service Group groups need Read & execute permissions to this file.

The default permissions are System:Full Control so these steps will be required:  On the Security Tab | Advanced | Continue | Add | Select a principal | Exchange Servers | OK.  Do the same for the AD RMS Service Group.

4. Enable Internal Licensing

Finally run this command in the Exchange Management Shell to enable IRM Internal Licensing:
 Set-IRMConfiguration -InternalLicensingEnabled $True  


Run this command in the Exchange Management Shell:
 Test-IRMConfiguration -Sender you@yourdomain.com  

If successful the output will look like this:
Now in Outlook you will see Set Permissions as an option when composing a mail.  This is what is displayed in OWA after the "Do not forward" permission is set on a new message:

More information on IRM can be found here: Information Rights Management in Exchange 2013

Tuesday, 2 April 2013

Exchange 2013 CU1 Released - 2007/2010 Coexistence Now Supported!

Microsoft has released the first quarterly cumulative update for Exchange 2013 and it can be downloaded from this link.

For the installation details and link to the release notes take a look at the Exchange Team Blog.